authorXe Iaso <me@xeiaso.net>2025-01-17 17:52:58 -0500
committerXe Iaso <me@xeiaso.net>2025-01-17 17:52:58 -0500
commitd996d81d30c83aa744f7c2a25bb4b2ed61de0e10 (patch)
treec8076427da74cbe41195aa64034c497d584b4264 /kube
parent24f2d9fc3ad65cca0c90661a94781b8b4db87dae (diff)
kube/alrest/gitea: harden
Signed-off-by: Xe Iaso <me@xeiaso.net>
Diffstat (limited to 'kube')
-rw-r--r--kube/alrest/gitea/1password.yaml7
-rw-r--r--kube/alrest/gitea/deployment.yaml37
-rw-r--r--kube/alrest/gitea/ingress.yaml13
-rw-r--r--kube/alrest/gitea/runner.yaml11
4 files changed, 57 insertions, 11 deletions
diff --git a/kube/alrest/gitea/1password.yaml b/kube/alrest/gitea/1password.yaml
index e11a542..645df23 100644
--- a/kube/alrest/gitea/1password.yaml
+++ b/kube/alrest/gitea/1password.yaml
@@ -4,3 +4,10 @@ metadata:
name: tigris-creds
spec:
itemPath: "vaults/Kubernetes/items/Tigris creds"
+---
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+ name: gitea-secrets
+spec:
+ itemPath: "vaults/Kubernetes/items/Gitea Secrets" \ No newline at end of file
diff --git a/kube/alrest/gitea/deployment.yaml b/kube/alrest/gitea/deployment.yaml
index 7c48085..f58fab2 100644
--- a/kube/alrest/gitea/deployment.yaml
+++ b/kube/alrest/gitea/deployment.yaml
@@ -7,18 +7,29 @@ data:
USER_UID: "1000"
USER_GID: "1000"
- # GITEA__storage__STORAGE_TYPE: minio
- GITEA__storage__STORAGE_TYPE: local
- GITEA__storage__SERVE_DIRECT: "true"
+ GITEA__storage__STORAGE_TYPE: minio
+ #GITEA__storage__STORAGE_TYPE: local
+ GITEA__storage__SERVE_DIRECT: "false"
GITEA__storage__MINIO_ENDPOINT: minio.xeserv.us
GITEA__storage__MINIO_BUCKET: gitea
+ GITEA__storage__MINIO_LOCATION: auto
GITEA__storage__MINIO_USE_SSL: "true"
- GITEA__storage__MINIO_ACCESS_KEY_ID: "qI118JbfKI7jSoIODniy"
- GITEA__stroage__MINIO_SECRET_ACCESS_KEY: "dIOfpszdPDKLurcppvic68TJcscZ4NZbgJr30RaX"
GITEA__service__DISABLE_REGISTRATION: "false"
GITEA__service__REGISTER_MANUAL_CONFIRM: "true"
GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION: "true"
GITEA__server__SSH_DOMAIN: "git.gitea.svc.alrest.xeserv.us"
+ GITEA__service.explore__REQUIRE_SIGNIN_VIEW: "true"
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: gitea-custom
+data:
+ robots.txt: |
+ User-agent: *
+ Disallow: /
+ # "templates/custom/header.tmpl": |
+ # <meta name="robots" content="noindex" />
---
apiVersion: apps/v1
kind: Deployment
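Review bot: The MinIO access key ID and secret removed at the two `-` lines were committed in plaintext inside a ConfigMap and are still readable in this repository's history (the parent commit and earlier), so moving them into 1Password does not revoke them; rotate that MinIO key pair and treat the old values as disclosed. The removed secret line was under the misspelled section `GITEA__stroage__`, so if the 1Password item was populated by copying these values, confirm the key there is spelled `GITEA__storage__MINIO_SECRET_ACCESS_KEY`, otherwise Gitea starts with no secret key and object storage silently fails. `GITEA__service.explore__REQUIRE_SIGNIN_VIEW` only gates the explore pages; if the goal is to hide repositories from unauthenticated crawlers, the same key under `[service]` (`GITEA__service__REQUIRE_SIGNIN_VIEW: "true"`) is the one that requires sign-in for all views. The literal `.` in the environment-variable name may also need Gitea's `_0X2E_` escaping (`GITEA__service_0X2E_explore__REQUIRE_SIGNIN_VIEW`) — verify against the app.ini the container generates.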
@@ -32,6 +43,8 @@ metadata:
keel.sh/pollSchedule: "@hourly"
spec:
replicas: 1
+ strategy:
+ type: Recreate
selector:
matchLabels:
xeiaso.net/thing: http
@@ -49,10 +62,20 @@ spec:
- name: internal-certs
secret:
secretName: gitea-internal-tls
+ - name: custom
+ configMap:
+ name: gitea-custom
containers:
- name: main
image: gitea/gitea:1-rootless
imagePullPolicy: Always
+ resources:
+ limits:
+ cpu: "2"
+ memory: "2Gi"
+ requests:
+ cpu: "1"
+ memory: "1Gi"
securityContext:
runAsUser: 1000
runAsGroup: 1000
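Review bot: For a commit titled "harden", the container `securityContext` that begins at the bottom of this hunk only shows `runAsUser`/`runAsGroup`; unless they appear further down (the block runs past the hunk), add `allowPrivilegeEscalation: false`, `capabilities: {drop: ["ALL"]}` and `seccompProfile: {type: RuntimeDefault}`, all of which the rootless image tolerates. The new `resources` limits are a sensible DoS backstop; setting the memory request equal to the limit would make eviction behavior more predictable, but that is a tuning choice rather than a defect.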
@@ -66,6 +89,8 @@ spec:
envFrom:
- configMapRef:
name: gitea
+ - secretRef:
+ name: gitea-secrets
ports:
- name: http
containerPort: 3000
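Review bot: `envFrom: secretRef` imports every key of `gitea-secrets` as an environment variable with no prefix, so each field of the 1Password item must be spelled exactly as a Gitea key (`GITEA__storage__MINIO_ACCESS_KEY_ID`, `GITEA__storage__MINIO_SECRET_ACCESS_KEY`); a misspelled field name fails silently rather than at startup. Since the reference is not marked `optional`, the pod stays in CreateContainerConfigError until the operator has synced the Secret, which is the right default here. A one-line comment naming the expected keys, `# keys must be Gitea env names, e.g. GITEA__storage__MINIO_SECRET_ACCESS_KEY`, would save the next person a round trip to the vault.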
@@ -80,6 +105,8 @@ spec:
- name: data
mountPath: /etc/gitea
subPath: conf
+ - name: custom
+ mountPath: /var/lib/gitea/custom
livenessProbe:
httpGet:
path: /api/healthz
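Review bot: The `custom` volume is mounted over the whole of `/var/lib/gitea/custom`, so the read-only ConfigMap shadows any templates or public assets already in that directory, and in Gitea 1.20 and later the served robots.txt is read from `custom/public/robots.txt`, not `custom/robots.txt` — with the floating `1-rootless` tag this is very likely a current release, so the file as mounted is probably not served at all; verify by requesting `/robots.txt`. Mounting the single key, `mountPath: /var/lib/gitea/custom/public/robots.txt` with `subPath: robots.txt`, fixes both problems. robots.txt is advisory and the crawlers this commit targets in the ingress user-agent rule may ignore it; the sign-in requirement is the control that actually withholds content.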
diff --git a/kube/alrest/gitea/ingress.yaml b/kube/alrest/gitea/ingress.yaml
index a565213..98842b6 100644
--- a/kube/alrest/gitea/ingress.yaml
+++ b/kube/alrest/gitea/ingress.yaml
@@ -6,6 +6,19 @@ metadata:
name: gitea
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod"
+ nginx.ingress.kubernetes.io/limit-rpm: "30"
+ # nginx.ingress.kubernetes.io/configuration-snippet: |
+ # if ($http_user_agent ~* "(Amazon)" ){
+ # return 444;
+ # }
+ # nginx.ingress.kubernetes.io/configuration-snippet: |
+ # if ($http_user_agent ~* "(Amazon)" ){
+ # proxy_pass http://uncle-ted.default.svc.alrest.xeserv.us:80/gzip-bomb?url=$request_uri;
+ # }
+ nginx.ingress.kubernetes.io/configuration-snippet: |
+ if ($http_user_agent ~* "(Amazon)" ){
+ proxy_pass http://uncle-ted.default.svc.alrest.xeserv.us:80/bee-movie?url=$request_uri;
+ }
spec:
ingressClassName: nginx
tls:
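Review bot: The active `configuration-snippet` appends `$request_uri` unescaped to the decoy's query string, so any request URI that itself contains `?` or `&` splits the `url` parameter and injects extra parameters into the `uncle-ted` request; pass it in a header instead (`proxy_set_header X-Original-URI $request_uri;`) or escape it before use. A user-agent match is trivially bypassed and `(Amazon)` also matches legitimate Kindle/Silk browsers, so treat this as a nuisance measure, not access control. `configuration-snippet` is only honored when the controller runs with `allow-snippet-annotations: true` (off by default since ingress-nginx 1.9 because of CVE-2021-25742) and is silently dropped otherwise, so confirm it actually renders into nginx.conf. `limit-rpm: "30"` is keyed on the client IP nginx sees; if the real address is not recovered from the upstream load balancer every client shares one bucket, and even per-client 30/min with the default burst multiplier is tight for git-over-HTTP and page asset loads.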
diff --git a/kube/alrest/gitea/runner.yaml b/kube/alrest/gitea/runner.yaml
index b490da3..02d2fd1 100644
--- a/kube/alrest/gitea/runner.yaml
+++ b/kube/alrest/gitea/runner.yaml
@@ -1,10 +1,9 @@
-apiVersion: v1
-kind: Secret
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
metadata:
name: runner-secret
-stringData:
- token: "lauI1MNpokCnDRUZ1LcS7cQKSyuMyI0UikmKCJcQ"
-type: Opaque
+spec:
+ itemPath: "vaults/Kubernetes/items/Gitea Runner Secrets"
---
apiVersion: v1
kind: ConfigMap
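Review bot: The runner registration token removed at the `-token:` line was committed in plaintext and remains readable in this repository's history, so the move to 1Password needs to be paired with regenerating the registration token in Gitea and re-registering the runner; otherwise the old value keeps working. The `secretKeyRef` later in this file is outside this hunk, but the Secret the operator materializes from `Gitea Runner Secrets` must keep the same name (`runner-secret`) and the same key as before (`token`), so confirm the 1Password item's field is named exactly `token`.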
@@ -50,7 +49,7 @@ spec:
imagePullPolicy: Always
env:
- name: GITEA_INSTANCE_URL
- value: https://git.xeserv.us
+ value: http://git.gitea.svc.alrest.xeserv.us
- name: GITEA_RUNNER_REGISTRATION_TOKEN
valueFrom:
secretKeyRef:
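Review bot: Changing `GITEA_INSTANCE_URL` from `https://git.xeserv.us` to `http://git.gitea.svc.alrest.xeserv.us` moves the runner's registration and every job's API and clone traffic to cleartext on the cluster network, which is an odd direction for a commit titled harden. The deployment mounts a `gitea-internal-tls` secret, so an in-cluster TLS endpoint appears to exist; prefer `https://git.gitea.svc.alrest.xeserv.us` with the internal CA trusted by the runner, or record the trade-off with a comment such as `# in-cluster HTTP: skips the ingress rate limit and UA rules; traffic stays on the pod network`. The in-cluster URL also bypasses the ingress rate limit and user-agent rules, which is presumably the intent and worth stating.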